Welcome to ISAserver.org


TFTP and VPN

All Forums >> [ISA 2006 Firewall] >> VPN >> TFTP and VPN Page: [1]
TFTP and VPN - 24.Nov.2008 8:56:55 AM   
banthorpe

 

Posts: 7
Joined: 24.Nov.2008
Status: offline
Ok - I've got an odd one here and am looking for suggestions.

Here's my setup:

Internal network (192.168.1.x): MSFT infrastructure and Cisco CallManager
Perimeter network (10.1.1.x): some MSFT servers
External network: the Internet
VPN Clients (172.16.10.x)

Both Perimeter and VPN clients are routed to the Internal network (no NAT) and have an access rule for All Outbound Protocols enabled.

Problem - TFTP clients on VPN network timeout when downloading from TFTP server

If I fire up the basic Windows TFTP client on any server in the perimeter network I can successfully download anything from the CallManager TFTP service.

However, if I do the same from a laptop once it has established the VPN to the ISA server, I get timeouts on the connection.

If I look at a Wireshark trace on the VPN adapter (on the ISA server) I can see the request from the client followed by the server response (I can even see the content in the requested file). However, the TFTP server just keeps trying to send the file back to the client with no luck. There are no errors.

FYI - HTTP requests to the CallManager server (user admin etc.) work fine so I know there is no problem with routing. This is solely TFTP at fault.

Any help?

-Dave
Post #: 1
RE: TFTP and VPN - 25.Nov.2008 11:44:34 AM   
adimcev

 

Posts: 85
Joined: 19.Oct.2008
Status: offline
The problem with TFTP is that the client connects from say UDP source port X to destination UDP 69(read or write request), and then the server replies from a new source UDP port Y to the client port X. And after that the client connects with source port X to destination port Y.
And unfortunately we do not have a TFTP filter on ISA to intelligently follow the conversation.

There are two solutions that I used to make this work for my personal needs with TFTP (ISA 2006, domain member):

1. Install FWC on the VPN user's machine. Note that the FWC will send the logged user's credentials, so if your ISA's access rules allow access for certain users, make sure the appropriate credentials are used (as you may know with ISA, you can allow certain protocols for certain VPN users, without the need of the FWC on the VPN user's machines, the VPN user's credentials being used), if the VPN client machine is not a domain member or so.
Then on ISA, create an access rule, from VPN Clients to TFTP server, custom protocol: UDP port range 69 Send and add secondary connections for UDP port range 0 Receive and for UDP port range 1-65535 Send, for the needed VPN user.

2. Or without FWC, create two access rules on ISA:
- from VPN Clients to TFTP server, define a custom protocol: UDP port range 1-65535 Send Receive and no secondary connections, for the needed user(s).
- from TFTP server to VPN Clients, the same newly defined custom protocol: UDP port range 1-65535 Send Receive and no secondary connections, for All Users this time.

If you want to restrict a little bit the rules, you can give a specific IP address to a specific VPN user, create a new computer object on ISA for this IP address, and replace the general VPN Clients network with the new computer object(ISA will know when the VPN user connects that this computer is part of the VPN Clients network).
And you may adjust the port range of the protocols if you can control the local ports pool on the TFTP server.

Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to banthorpe)
Post #: 2
RE: TFTP and VPN - 25.Nov.2008 12:13:44 PM   
banthorpe

 

Posts: 7
Joined: 24.Nov.2008
Status: offline
no such luck I'm afraid - still does not fix it.

I have noticed though (previous to trying your fix) that sometimes the download works, so I'm wondering if this is a problem with CallManager rather than ISA? Although the CallManager TFTP server seems to be doing all the right things.

(in reply to banthorpe)
Post #: 3
RE: TFTP and VPN - 25.Nov.2008 12:37:49 PM   
adimcev

 

Posts: 85
Joined: 19.Oct.2008
Status: offline
What solution have you used ?
As I remember, both worked for me (I have them written in a txt file).
Maybe you defined something wrong ?

It's easy to troubleshoot it.
Typically(my case) ISA will deny something.
First check ISA's live log.
Client to server X to 69, allowed.
Server responds: Y to X, allowed.
Client send X to Y, allowed.
Make sure ISA does not deny something. If so, check your rules.

Or use Wireshark and capture the packets, on both sides, client and ISA, to see if the above conversation takes place, and packets are reaching the TFTP server and client.

You may create a test rule, allow everything for all users from VPN Clients to TFTP server, and allow everything for all users from TFTP server to VPN Clients (you basically need all UDP ports in both directions, sort of).

Additionally you may try with a traditional TFTP server like TFTPD32.

Adrian


(in reply to banthorpe)
Post #: 4
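To make the three-step exchange from the two posts above concrete (client X to server 69, server Y to client X, client X to server Y) and to show why a rule that only knows about UDP 69 loses the third step, here is an added example that is not code from the thread or from ISA Server. It parses TFTP packet headers, replays a constructed exchange through two inspection policies, and reports which packets each would pass. The addresses, ports and filename come from the tftpd32 log quoted later in the thread; the server address 192.168.1.10 is an assumed host on the Internal network, and both policy classes are my own simplifications, not ISA's rule engine.

```python
import struct
from dataclasses import dataclass, field

TFTP_PORT = 69
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}


def parse_tftp(payload: bytes) -> dict:
    """Decode the fields of a TFTP packet header (RFC 1350)."""
    if len(payload) < 2:
        raise ValueError("payload too short for a TFTP opcode")
    (opcode,) = struct.unpack("!H", payload[:2])
    kind = OPCODES.get(opcode, "UNKNOWN")
    if kind in ("RRQ", "WRQ"):
        # opcode | filename | NUL | mode | NUL
        fields = payload[2:].split(b"\x00")
        if len(fields) < 2:
            raise ValueError("malformed request packet")
        return {"op": kind,
                "filename": fields[0].decode("ascii", "replace"),
                "mode": fields[1].decode("ascii", "replace")}
    if kind in ("DATA", "ACK"):
        if len(payload) < 4:
            raise ValueError("malformed %s packet" % kind)
        (block,) = struct.unpack("!H", payload[2:4])
        return {"op": kind, "block": block, "data_len": len(payload) - 4}
    return {"op": kind, "opcode": opcode}


# Packet builders for the constructed exchange below.
def rrq(filename: str, mode: str = "netascii") -> bytes:
    return struct.pack("!H", 1) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def data(block: int, chunk: bytes) -> bytes:
    return struct.pack("!HH", 3, block) + chunk


def ack(block: int) -> bytes:
    return struct.pack("!HH", 4, block)


@dataclass
class Port69Rule:
    """A plain 'UDP 69 outbound' rule (simplified, not ISA's engine): the request and
    replies to the requesting socket pass, but the client's packets to the server's
    new port look like an unrelated flow and are dropped."""
    requests: set = field(default_factory=set)

    def inspect(self, src, sport, dst, dport, payload) -> str:
        if dport == TFTP_PORT:
            self.requests.add((src, sport, dst))
            return "allow"
        if (dst, dport, src) in self.requests:   # reply addressed to the requesting socket
            return "allow"
        return "deny"


@dataclass
class TftpTracker:
    """Stateful inspection that follows one transfer across the server's port change,
    which is the job an application filter would do."""
    # (client_ip, client_port, server_ip) -> server transfer port, None until learned
    sessions: dict = field(default_factory=dict)

    def inspect(self, src, sport, dst, dport, payload) -> str:
        pkt = parse_tftp(payload)
        as_client = (src, sport, dst)   # this packet travels client -> server
        as_server = (dst, dport, src)   # this packet travels server -> client
        if dport == TFTP_PORT and pkt["op"] in ("RRQ", "WRQ"):
            self.sessions[as_client] = None          # 1. X -> 69: remember the client socket
            return "allow"
        if as_server in self.sessions and self.sessions[as_server] is None \
                and pkt["op"] in ("DATA", "ACK", "ERROR"):
            self.sessions[as_server] = sport         # 2. Y -> X: learn the transfer port Y
            return "allow"
        if self.sessions.get(as_client) == dport:    # 3. X -> Y: ACKs (or WRQ data)
            return "allow"
        if self.sessions.get(as_server) == sport:    # further Y -> X blocks
            return "allow"
        return "deny"


# Constructed exchange: client address, ports and filename are taken from the tftpd32
# log quoted in this thread; the server address is an assumed Internal-network host.
CLIENT, SERVER = "172.16.10.2", "192.168.1.10"
EXCHANGE = [
    (CLIENT, 53287, SERVER, 69,    rrq("tftpd32.ini")),        # X -> 69  read request
    (SERVER, 3160,  CLIENT, 53287, data(1, b"A" * 512)),       # Y -> X   block 1
    (CLIENT, 53287, SERVER, 3160,  ack(1)),                    # X -> Y   ack 1
    (SERVER, 3160,  CLIENT, 53287, data(2, b"B" * 100)),       # Y -> X   last block (< 512)
    (CLIENT, 53287, SERVER, 3160,  ack(2)),                    # X -> Y   ack 2
]


def replay(policy, packets=EXCHANGE) -> list:
    """Run every packet of the exchange through a policy and collect its verdicts."""
    return [policy.inspect(*p) for p in packets]


if __name__ == "__main__":
    for name, policy in (("port-69 rule", Port69Rule()), ("TFTP tracker", TftpTracker())):
        print(name, replay(policy))
```

Running it shows the pattern the posts describe: the port-69 rule passes the request and the server's first block but drops the client's ACK to port 3160, so the server retransmits until it gives up, while the tracker passes all five packets. This is also why the workaround above needs client-to-server traffic allowed on the whole port range the server may pick, or on whatever range the server's local port pool is restricted to.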
RE: TFTP and VPN - 25.Nov.2008 12:48:03 PM   
adimcev

 

Posts: 85
Joined: 19.Oct.2008
Status: offline
I did try with CallManager, but TFTP should be TFTP....
The Wireshark traces will show you if so or not.

Adrian


(in reply to adimcev)
Post #: 5
RE: TFTP and VPN - 25.Nov.2008 1:28:35 PM   
banthorpe

 

Posts: 7
Joined: 24.Nov.2008
Status: offline
Ok - so I've completely got rid of CallManager from the problem. I've installed TFTPD32 on an XP box on the "inside" of ISA on the private network. Same problem. If I look at the logs on TFTPD32 it tells me it has timeouts waiting for the ACK:

Connection received from 172.16.10.2 on port 53287 [25/11 18:26:59.945]
Read request for file <tftpd32.ini>. Mode netascii [25/11 18:26:59.945]
Using local port 3160 [25/11 18:26:59.945]
TIMEOUT waiting for Ack block #1  [25/11 18:27:08.945]
TIMEOUT waiting for Ack block #1  [25/11 18:27:10.945]
TIMEOUT waiting for Ack block #1  [25/11 18:27:14.945]

< Message edited by banthorpe -- 25.Nov.2008 1:40:20 PM >

(in reply to adimcev)
Post #: 6
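The tftpd32 log above is enough to pin the failure to the third step of the exchange without a packet capture: the server names the client socket, the file, the local transfer port it chose, and then repeats "TIMEOUT waiting for Ack". As an added example that is not part of the thread, the following script groups such lines into one record per transfer, picks out transfers that timed out without finishing, and states which client-to-server port needs checking. The sample log is constructed in tftpd32's style from the lines quoted above; the second transfer and its completion line ("sent N blks") are assumed wording, not output taken from the thread.

```python
import re

# Constructed sample in tftpd32's log style, modelled on the lines quoted in the post
# above; the second transfer and its completion line are assumed, not from the thread.
SAMPLE_LOG = """\
Connection received from 172.16.10.2 on port 53287 [25/11 18:26:59.945]
Read request for file <tftpd32.ini>. Mode netascii [25/11 18:26:59.945]
Using local port 3160 [25/11 18:26:59.945]
TIMEOUT waiting for Ack block #1  [25/11 18:27:08.945]
TIMEOUT waiting for Ack block #1  [25/11 18:27:10.945]
TIMEOUT waiting for Ack block #1  [25/11 18:27:14.945]
Connection received from 10.1.1.20 on port 49152 [25/11 18:30:01.000]
Read request for file <phone.cfg>. Mode octet [25/11 18:30:01.000]
Using local port 3161 [25/11 18:30:01.000]
<phone.cfg>: sent 3 blks, 1234 bytes in 0 s. 0 blk resent [25/11 18:30:01.120]
"""

PATTERNS = {
    "start":   re.compile(r"Connection received from (\S+) on port (\d+)"),
    "request": re.compile(r"(Read|Write) request for file <(.+?)>\. Mode (\w+)"),
    "port":    re.compile(r"Using local port (\d+)"),
    "timeout": re.compile(r"TIMEOUT waiting for Ack block #(\d+)"),
    "done":    re.compile(r"sent (\d+) blks"),
}
STAMP = re.compile(r"\[([^\]]+)\]\s*$")   # trailing "[dd/mm hh:mm:ss.mmm]"


def parse_transfers(log_text: str) -> list:
    """Group tftpd32 log lines into one record per transfer."""
    transfers, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        stamp = STAMP.search(line)
        ts = stamp.group(1) if stamp else None
        m = PATTERNS["start"].search(line)
        if m:
            current = {"client": m.group(1), "client_port": int(m.group(2)),
                       "direction": None, "file": None, "mode": None,
                       "local_port": None, "timeouts": 0, "stuck_block": None,
                       "completed": False, "first_seen": ts, "last_seen": ts}
            transfers.append(current)
            continue
        if current is None:
            continue                      # lines before the first connection are ignored
        current["last_seen"] = ts or current["last_seen"]
        m = PATTERNS["request"].search(line)
        if m:
            current["direction"] = m.group(1).lower()
            current["file"], current["mode"] = m.group(2), m.group(3)
            continue
        m = PATTERNS["port"].search(line)
        if m:
            current["local_port"] = int(m.group(1))   # the server's transfer port Y
            continue
        m = PATTERNS["timeout"].search(line)
        if m:
            current["timeouts"] += 1
            current["stuck_block"] = int(m.group(1))
            continue
        if PATTERNS["done"].search(line):
            current["completed"] = True
    return transfers


def stalled_transfers(log_text: str) -> list:
    """Transfers that timed out waiting for an ACK and never completed."""
    return [t for t in parse_transfers(log_text) if t["timeouts"] and not t["completed"]]


def explain(t: dict) -> str:
    """One-line reading of a stalled record in terms of the three-step TFTP exchange."""
    return ("%s:%d requested <%s>; the server sent block %s from local port %s and got no "
            "ACK after %d retries, so check that the path allows the client to reach UDP %s "
            "(the transfer port), not only UDP 69"
            % (t["client"], t["client_port"], t["file"], t["stuck_block"], t["local_port"],
               t["timeouts"], t["local_port"]))


if __name__ == "__main__":
    for t in stalled_transfers(SAMPLE_LOG):
        print(explain(t))
```

The distinguishing signal is a transfer that has a "Using local port" line and repeated timeouts on the same block number with no completion line: the server's data reached the client (or at least left the server), and what never arrived is the ACK addressed to that local port. That is the same condition a stateful trace of X to 69, Y to X, X to Y would show as the third step missing.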
RE: TFTP and VPN - 25.Nov.2008 1:29:41 PM   
banthorpe

 

Posts: 7
Joined: 24.Nov.2008
Status: offline
I should also say that there is now a single access rule for VPN clients to the Internal network for "All Outbound Protocols". This, I believe, should include what you suggested?

By comparing with your debugging steps (I get no errors on ISA, btw), it appears that the "Client send X to Y, allowed" step is what is failing, as I see no traffic back to ISA after the first 2 exchanges.

< Message edited by banthorpe -- 25.Nov.2008 1:39:51 PM >

(in reply to banthorpe)
Post #: 7
RE: TFTP and VPN - 25.Nov.2008 2:16:03 PM   
adimcev

 

Posts: 85
Joined: 19.Oct.2008
Status: offline
Just a part of.
As said above for the test rule, there should be an "All Outbound Protocols" rule from Internal to VPN Clients too, otherwise it will not work.

By the way, just tested this in my lab. TFTPD32 on a server behind ISA. Also TFTP32 client on an XP machine used as a VPN client. Works fine for me with either solution 1 or 2 (so it looks to me that nothing has changed since I've used TFTP through ISA).

If you want, I can take a couple of print screens with my rules, and send them to you.

Adrian


(in reply to banthorpe)
Post #: 8
RE: TFTP and VPN - 26.Nov.2008 3:36:53 AM   
banthorpe

 

Posts: 7
Joined: 24.Nov.2008
Status: offline
Ok - so I did have it in both directions. Just tested from an XP client and it works fine - it looks like it is Vista that is the root of this problem. Anyone seen this before with Vista?

(in reply to adimcev)
Post #: 9
RE: TFTP and VPN - 16.Dec.2008 3:08:20 PM   
adimcev

 

Posts: 85
Joined: 19.Oct.2008
Status: offline
TFTP works on my Vista x64 laptop(TFTP client), I have no problems. Might be a firewall problem ?
Looking at TFTP32's forum, I've noticed a thread about some problems on Vista(see this), apparently there is no clear answer to this thread.

By the way, it seems that TMG will incorporate a TFTP filter, just tested it, works nice.

Adrian


(in reply to banthorpe)
Post #: 10
